CB ThreatHunter: How can RegEx be used on the Investigate page?
Article ID: 291880

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

It doesn't seem like normal Regular Expressions (RegEx) can be used to search on the Investigate page. How can RegEx be used to simplify complex searches against process_cmdline and make them more reliable?

Environment

  • CB ThreatHunter PSC Console: All Versions

Resolution

The RegEx supported by CB ThreatHunter is a subset of the RegEx language and is primarily based on that of Lucene. One of the main takeaways is that the following characters cannot be used within RegEx patterns because they are reserved as operators.

Characters Reserved as Operators
. ? + * | { } [ ] ( ) " \

Additional Information

  • Most difficulties arise when trying to search for command line arguments encoded in Base64 (b64). RegEx can be used to match individual tokens but not the entire command line, especially in the case of commands longer than 64 characters, which are too long to index in a performant manner. To aid in finding longer encoded commands the field process_cmdline_length has been added, which can be used to find longer commands while still using RegEx.
    Command Line 1
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -encodedcommand aQBwAGMAbwBuAGYAaQBnACAALQBhAGwAbAA=
    
    RegEx 1
    process_name:powershell.exe AND process_cmdline:/[a-zA-Z0-9]+={0,3}/
    
    Command Line 2
    C:\Windows\System32\WindowsPowershell\v1.0\powershell -noP -sta -w 1 -enc wBJAE8ATgBUAEEAQgBMAEUALgBQAFMAVgBlAHIAcwBpAG...(total 4285 characters)
    
    RegEx 2
    process_name:powershell.exe AND process_cmdline:powershell\ -noP\ -sta\ -w\ 1\ \-\enc AND process_cmdline_length:[4280 TO *]
    

    In the second example, there are enough unencoded characters to serve as the basis for the search, with only '\' needed to escape the spaces between them. Coupling that with process_cmdline_length makes the search more specific based on the total number of characters in the command line, without relying on specific characters or patterns of characters in the encoded section.
  • Specifying character classes (\d \D \w \W \s \S) is not supported
  • Forward slash '/' is treated as a path character and will break b64 encoded commands into multiple tokens
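As an added helper (not part of this article or of the Carbon Black product), the Python below turns the rules above into query construction: it escapes the reserved operators and spaces for a literal process_cmdline term, flags /.../ patterns that use the unsupported character classes or '/', and derives a process_cmdline_length lower bound from an observed command line the way RegEx 2 does. The slack of 5 characters, the sample command line, and escaping only the listed characters plus spaces (so '-enc' stays unescaped) are assumptions.

```python
import re

# Characters the article lists as reserved operators in the query language.
RESERVED = set('.?+*|{}[]()"\\')
# Shorthand classes the article says are not supported inside /.../ patterns.
UNSUPPORTED_CLASSES = re.compile(r'\\[dDwWsS]')


def escape_literal(text):
    """Backslash-escape reserved operators and spaces so a literal command
    fragment can be used as a process_cmdline term (the approach of RegEx 2)."""
    return ''.join('\\' + c if c in RESERVED or c == ' ' else c for c in text)


def check_regex_subset(pattern):
    """Return the problems that would keep a /.../ pattern from working."""
    problems = []
    if UNSUPPORTED_CLASSES.search(pattern):
        problems.append('shorthand character classes (\\d \\w \\s ...) are not supported')
    if '/' in pattern:
        problems.append("'/' is a path character and splits b64 into separate tokens")
    return problems


def build_query(process_name, literal_prefix, observed_cmdline, slack=5):
    """Combine an escaped literal fragment with a process_cmdline_length lower
    bound taken from an observed command line minus a small slack (assumed
    value, mirroring the article's 4285 -> 4280)."""
    min_len = max(len(observed_cmdline) - slack, 0)
    return ('process_name:%s AND process_cmdline:%s AND process_cmdline_length:[%d TO *]'
            % (process_name, escape_literal(literal_prefix), min_len))


# Constructed sample command line (not a real capture): a PowerShell stub
# followed by a 4200-character placeholder standing in for the encoded payload.
SAMPLE_CMDLINE = (r'C:\Windows\System32\WindowsPowershell\v1.0\powershell '
                  '-noP -sta -w 1 -enc ' + 'A' * 4200)

if __name__ == '__main__':
    print(build_query('powershell.exe', 'powershell -noP -sta -w 1 -enc', SAMPLE_CMDLINE))
    print(check_regex_subset(r'\d+'))
```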